Meeting Crime with an Open Source Mind 



Who are we ? 



Newly formed hacker 
space 

Located at: University 
of Delaware 




Headed by Dr. Fouad 
Kiamilev and CVORG 

• Result of DEPconl6 



Research Hardware 
Security 



Members 



Alex 'honco' Lindley 
Burke 'burk3' Cates 
Josh 'grungy' Marks 
Lawrence 'cuddles' Aiello 
Michael 'surfingcat' Natrin 



Nick Waite 



Rob 'rob3ar' Rehrig 
Robert 'jazzman' Haislip 
Steve 'afterburn' Janansky 




Many projects in need 
of "brains" 

Needed to feel 
zombies 

Quick solution: use 
embedded router 



Provides network link 



Lots of CPU Power 






General Purpose IOs 



The Problem 



Most routers have limited number of 
GPIO 

Most projects required more 
More in quantity- 
More in capability (less bit-banging) 

Desire to be able to cut power 



The Solution 



Add micro-controller 



Connect via RS-232 
Make it act as: 

• pseudo-service processor 

• port expander 



Provide better control 
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Running 
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current 



(Standalone HCS08) 



Sense Circuits &? Switch Control PON RS23S header 






FON gpio 
connector 



3.3V power converter 



Power Switch 




Power 
Input 



port "breakout header 
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Datalogging 
- SDcard 



Wireless sensor mote 



Zigbee, low power sleep mode 
Flexible & Extensible 



Connectors on separate 



Sensor Board Features 

SD card FAT 16 support 

Lotsa pins 

25 mA real-time clock mode (total current) 

Wide input voltage range (4 to > 15 V) 

Can sense own battery voltage 

Onboard switching power converter 

Zigbee/802.14.5 support with XBee module 



Insufficient CPU power to support Skynet 
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Wireless Routers 

• Fast (> 100 Mhz) 

• Easy (compile a package) 

• Hungry (1-3 W) 

• Limited 10: 

• Ethernet 

• 802.11 

• USB 

• GPIOs (a few) 

• RS232 



Microcontrollers 

• SlOW (<20 Mhz) 

• Harder (you code it yourself) 

• Low Power (< 30 mW) 

• All about 10: 

• I 2 C (for temp sensors, etc) 

• SPI (for SD) 

• A/D ( 1 bits for 1 00 KHz) 



GPIOs (a few) 
ruS232 
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Integration to make a system 



FOSS + a router + some custom glue = ? 

• a web-integrated custom security solution? 

• in a month (don't cut yourself on the rough edges) 

• pretty much anything at all? 

• hardware seems pretty similar to Open Vulture 

• routers + usb- can do nearly everything 

• for everything else there's microcontrollers 

• great time to he a hardware hacker 
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Router to 
Microcontroller 



Link via RS-232 



Scripted Comm Link 
Perl Device::SerialPort 
Python pyserial 

Opcode like protocol structure 
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The Idea: 



Add support for other 
10 





Sup Dawg! ? We heard you like ten internets, 
so we soldered a router to your car so you can 

waxdrive-drive-by ! 



Design software to 
interface better 

Make system project 
independent 

Open Source (aka I 
can't code well) 
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The Circuit Breakers 



Gave the group the 
base platform 

Asked them to design 
a project using it 

Decided on security 
application 

"Death March to 
Shmoocon" began 




3. 
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Requirements 

• 802.11 b/g 

• USB 2.0 



UART/Serial/RS232 
OpenWRT Support 



Routers vs TCB 

Round 1 : FIGHT 



ASUS WL-520GU 



Broadcom BCM5354 

Contender for worst 
UI ever 



# • 




to 



OpenWRT Work-In- 
Progress(WIP) 

Small amount of flash 
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Routers vs TCB 
Round 1 : Routers win 



USB 2.0 - kernel 2.6 
only 

wl module - kernel 2.4 
only 

b43 - unsupported 
(LP-PHY) 

Conclusion: Fail 

Grungy angry (sore 
loser) 
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Routers vs TCB 

Round 2: FIGHT 



Ubiquiti 
RouterStation 

Preloaded with 
Kamikaze &S.6 
Kernel 

Mini-PCI support 

Extremely powerful 
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Routers vs TCB 
Round 2 : Draw ! 



Late shipment 

Power Supply 

Lack of 
documentation 



Weirdness with USB 



Costly in power 
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Routers vs TCB 

Round 3: FIGHT 



Pon 2.0 Beta 




Shipping for 
developers 


1 ■» INTERNET 
1 ^3D COMPUTE* 
1 ^mt WIRELL 


Same SoC as previous 
versions 


^3 (SB 
1 ■■§ POWER 


Supports 2.6 Kernel 






Routers vs TCB 



I 



Met all goals 
Small and compact 
Easy to work with 
Decent price ($50) 



Great solution! 
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Multiple Peripherals 

• Standard I/O 

• Digital Interrupts 

• Tx/Rx Interrupts 




Analog - To - Digital Conversion 



Passive IR Sensor 

$ 10 at Radioshack 




3 pin connection 



Igital sensor output 



30 second startup time to allow 
environmental adjustment 

How does it work? 

If temperature passing scope is different 

than initial setup environment 

temperature, trigger interrupt 
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Tripwires 

7 Audio Sensor VI 





* 



[Test Environment] 




Reflectors 



Audio Sensor 



, 



Tripwires 
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Power 



If using a 5.0V source 



Running Mode: 

(5.0V) x (10 mA) = 50 mW 



Low-Power Mode: 



(5.0V) x (24 mA) = 120 m"W 



What's the need? 

We are using a battery source out in the 

environment 
=> Save Battery Life ! 
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Router - Microcontroller 



Interface 



KBI For PIR 



uController 



Router 




Tx/Rx 



Serial COM could not wake computer 
via router signal because real time 
clock is disabled. 

Solution: 



=> Split router signal to enter both KBI 
and Rx pins 



KBI 



Microcontroller 



Incoming Signal 



Pulse-Width Modulation 




Run LED at 36kHz 
50% duty cycle 



In combination with RTI, saves power 






TPM1SC = 0x08; // set TPM to BUSCLK 
TPM1MOD = 511; // set PWM to 36kHz 
TPM 1 COSC = 0x28; // set to high-true 

mode 
TPM1C0V = 256; // set duty cycle to 50% 



T=l/f 



50% 



desired frequency 



20% 



duty cycle 



33 



Hardware 



Simple IR LED circuit 



IB. LED circuit 



2N2219A 



TIL31B 5D% 



PWM from port 
Transistor 
15mA 
Sensor 
From remote control 
3.3V 
OUT to port 



PTDO 



y ri 



IDu 



IR Sensor 



. 1DD 
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R2 
3.3 



D2 
D1N414S 
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together 

Reflector to 
send back 
signal 

IR Sensor is 
very sensitive 
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Last Minute Idea 



Need a case for sensors 

Random Nintendo parts laying around 

Specifically an old IR 
controller pack 

The guts of an NES 
which includes 
controller ports 
Plug-in port wired to uC 
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Our Sensor 



Cased sensor 



Uncased sensor 




Controller 

inputs in 

order to plug 

in sensors 
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Method 

Used an RTI (Real Time Interrupt) to 
count every tenth of a second 

Did this to utilize PWM that Rob3ar made 



By setting flags, program could tell if a 
person exits or enters an area 

Code woken up by a PIR sensor as 
discussed by Surflngcat 



rilC- iv^Vr 1 * ^j?' Ji, l *" 1 J <i 
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Useful for our purposes because it works with the Pulse-Width 
Modulation (PWM) 

Need to acknowledge the interrupt in code so it can interrupt again 

Function name is unique (called Vectors) 



SPMSC1 = 0; 

SPMSC2 = 0; 
SRT1SC_RTIS0 

SRT1SC_RTIS1 
SRT1SC RTIS2 



// Sets RTI interrupt to 128ms 



Vector name: void interrupt VectorNumber Vrti rti isrfvoid' 



Acknowledge flag placed in code: SRTISC RTIACK= 1; 



The Actual Sensor 



Connected infrared sensors to 3 pins onboard (0,l,and 2 
on Port A) 

Transmitter sent a low signal that was pulsed every 1/ 10 
of a second using PWM 



If sensor did not detect the signal, sensor read back a high 
signal instead. This high signal indicates that a person is 
blocking the transmitter's signal 



Used flags to "filter" signal 
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Two Different Situations 

1 Either one person walking through or multiple people 



If the sensors activated in the order left -> center -? right or 
vice versa, it meant that only one person was walking 
through 



If the left and right sensors activated before the center one 
did, meant that multiple people were entering at same time 

Computed people moving in and out differently according to 
the situation 



EU-15 Countries 




11 = 11 

nil 




Germany France Luxembourg Belgium The N> 




Denmark Swed 




The reason all this worked 



Spain Portugal 

EU-25 Countries (2004) 





k.ifl« I 
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False Positives 




M 



Added a small 
counter inside 
program that 
counts and after a 
while deletes all 
saved data 

Activates counter 
whenever a sensor 
is tripped 



Takes one second to reach the end of it's count, 
which means apocalypse for the algorithm data 



Makes algorithm a little bit more accurate 
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Some Problems 



Inaccurate readings 

1 . People can mess up count 

2. Really difficult to make 100% accurate 



Code is a little rough 





Alternative way to implement program 
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Conclusion 



RTI 



How this code fits into the system 

Problems are there but program will 
still do its job 

Word to my World of Warcraft homies 
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Scream and Gunshot 

Detection 



Hardware by: Alex {Honcho} L 
Programming: Rob {jazzman} 



Detect large changes in ambient sound. 
Geared towards Gunshots and screams 



Send information to Security 
monitoring personnel 



Possible Problems? 



False Positives 



Groups of Freshmen 



Groups of girls 
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Y Axis: Sound Level 




x axis: Distance from sensor Platform 
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X Axis: Time 
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Initial Build 



Acoustic Sensor using LM324 Op-Amp 
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Y Axis: Sound Level 




X Axis: Time 
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Woo cool oscilloscope outputs ! 



Woo cool oscilloscope outputs ! 



M Pos: 0.000s 







:H1 1.00V CH2 1.00V 



M 10.0ms 
27-Jan-09 02:31 
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M Pos: 0.000s 




TRIGGER 
Type 




Source 




Slope 




Mode 



Normal 



Coupling 




ICH1 500m V CH2 200m V M 10.0ms 

6-Feb-09 10:10 



CH1 I 400mV 
<10Hz 



Python: Squeezing Data out of 

HTML 



A Data Mining Experience 
Handling poisonous reptiles next. . . 



Data mine publicly available police 
reports 

(http://www.udel.edu/PublicSafety/ 
crimestats.htm) 

Answer strategic project questions 

Placement of Sensor Node 

"Hot" times of the day 

Design a User Interface frontend to 
the database. 



Data Flow 



Start: 
Crime Stats web page 






HTML 



Python - 
SGML Parser 



Text 
in .csv file 



MySQL 
Database 



User Interface 

...Run in with Little 

Bobby Tables... 



KML file for 
Google maps 



End 
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Incident # 


Thne 


Description 


Location 


Disposition 


03-03793 


0112 


Moving Traffic Violation 


Academy Street/Lovett Avenue 


Arrest 


03-03300 


1413 


Hit & Run Accident 


Clayton Hall Loading Dock 


Service Clear 



Program reads the table 

cell data into a list 

variable i 

Filters data along the HTML Source 

way highlighting <p> tag 

Handles HTML Oddities J" 

Writes the list to a .csv 03-03793,01 l£,Moving 

file (because using Traffic Violation, 

memory might have been Academy Street/Lovett 

efficient. . .) Avenue, Arrest 
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HTML Oddities 



Don't use Microsoft Office to make 
web pages... 

Weird HTML happens - <td><p>....</ 
td> 

Why do you need the paragraph tag? 

...I don't know 

Nuff said 



Filename: Boo ^ 

Save as type: 

Page title: 

5ave: Ent j re Workbook Q Selection: Sheet 



Change Title. 



...<html> 
<head> 
<title>Test Site</title> 
</head> ... 
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The Google Maps 
gave us a visual 
representation of 
crime areas in our 
town. 



Each yellow 



laiHfiyHcitatfotitfcicfcoiitei 



a group of crimes. 

This made it 
easier to pick out 
high density crime 

areas 



1 1 1 f v *j 



~:*~ 



Pttge 






//-- 



g 



l,ed Property 




M\r '*m*tmBtimi... 



:f 



V?*' 




I" 



TE tJ 



iG'raffiti' 



iTiheft from Building 



: *W5»>* 






fifc 



i'< 






•JH3 




WW! 



Ml 



bfo 



Trespass 



"iniiirMIKiI 










Alcohol violation 



JSP' 



•.*« 



||o^ 



User Interface 



Searchable History feature 
Real time alert updates 




Current Status Crime Map 



Description: 
IncidQnttfi 



CrimeTracker 



Location 


Date 


Crime 












































Location! 


Euans Hall| 








User Interface 



Searchable History feature 
Real time alert updates 
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Current State of Video 



Currently no single best solution 
Most systems very costly 
Open source systems do exist but. 
Limited to very specific uses 
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Open Source 

Adaptive background removal 



Object location coordinate output 



SwisTrack 



Based on OpenCV 

Simple object tracking pipeline 

NMEA object positions over tcp socket 
PERFECT for backend integration 



PS 3 Vision 



CvCell on the PS 3 



5BB9 



Cheap 

Open Source 

No need to change code 

Full of fail (thus far) 
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I 



Meh 



• -) Tracks humans 
(-) Tracks moving trees 
(-) Depends greatly on environment 
(+) Outputs in backend friendly format 
So false positives could possibly be 
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Idea! 



Implement a kind of crime spam filter 
Inputs: what our sensors are seeing 
Output: probability of bad stuff going on 
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Solution 



Format sensor data into some kind of 
common textual format 



And throw them into.... 



dbacl 
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Results 



Awesome idea and simple 
implementation 

Needs MAJOR tweaking 
Needs LOTS of teaching 
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Conclusion 



Routers + uControllers = Rule teh 
World 

Will Open Source soon 

Check out http://tcb.udarknet.com 

HACK THE PLANET! 
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We Love Company, Come & Play! 




